Here’s an explanation from CNET of how the exploit works: “The technology behind the exploit re-routes in-app purchase requests. Instead of going to Apple, or a developer’s secured server, they go to an external server which pretends to be Apple giving it the OK. The setup requires installing two special security certificates on the phone, as well as making purchases when on Wi-Fi with modified DNS settings, meaning it doesn’t just work without some modifications.”
The website that hosted the details on how to enable it has already been given a takedown notice, so I guess that’s the first step. We’ll keep you posted on what happens next.